
Cisco Network Troubleshooting ASA

************************************************************************************************************************************************************************************************************************************************************************

Cisco Network Troubleshooting

Ping
Traceroute
Telnet
Show interfaces
Show ip interface
Show ip route
Show running-config
Show startup-config
Troubleshooting Tools


This chapter presents information about the wide variety of tools available to assist you in troubleshooting your internetwork. This includes information on using router diagnostic commands, Cisco network management tools, and third-party troubleshooting tools.
Using Router Diagnostic Commands
Cisco routers provide numerous integrated commands to assist you in monitoring and troubleshooting your internetwork. The following sections describe the basic use of these commands:
The show commands help monitor installation behavior and normal network behavior, as well as isolate problem areas.
The debug commands assist in the isolation of protocol and configuration problems.
The ping commands help determine connectivity between devices on your network.
The trace commands provide a method of determining the route by which packets reach their destination from one device to another.
Using show Commands
The show commands are powerful monitoring and troubleshooting tools. You can use the show commands to perform a variety of functions:
Monitor router behavior during initial installation
Monitor normal network operation
Isolate problem interfaces, nodes, media, or applications
Determine when a network is congested
Determine the status of servers, clients, or other neighbors
The following are some of the most commonly used show commands:
show version—Displays the configuration of the system hardware, the software version, the names and sources of configuration files, and the boot images.
show running-config—Displays the router configuration currently running.
show startup-config—Displays the router configuration stored in nonvolatile RAM (NVRAM).
show interfaces—Displays statistics for all interfaces configured on the router or access server. The resulting output varies, depending on the network for which an interface has been configured.
show controllers—Displays statistics for interface card controllers.
show flash—Displays the layout and contents of Flash memory.
show buffers—Displays statistics for the buffer pools on the router.
show memory summary—Displays memory pool statistics and summary information about the activities of the system memory allocator, and gives a block-by-block listing of memory use.
show process cpu—Displays information about the active processes on the router.
show stacks—Displays information about the stack utilization of processes and interrupt routines, as well as the reason for the last system reboot.
show cdp neighbors—Provides a degree of reachability information of directly connected Cisco devices. This is an extremely useful tool to determine the operational status of the physical and data link layer. Cisco Discovery Protocol (CDP) is a proprietary data link layer protocol.
show debugging—Displays information about the type of debugging that is enabled for your router.
You can always use the ? at command line for a list of subcommands.
Like the debug commands, some of the show commands listed previously are accessible only at the router's privileged exec mode (enable mode). This will be explained further in the "Using debug commands" section.
Hundreds of other show commands are available. For details on using and interpreting the output of specific show commands, refer to the Cisco Internetwork Operating System (IOS) command references.
Using debug Commands
The debug privileged exec commands can provide a wealth of information about the traffic being seen (or not seen) on an interface, error messages generated by nodes on the network, protocol-specific diagnostic packets, and other useful troubleshooting data. To access and list the privileged exec commands, enter this code:
Router> enable
Password: XXXXXX
Router# ?
Note the change in the router prompts here. The # prompt (instead of the normal > prompt) indicates that you are in the privileged exec mode (enable mode).
1. ifconfig
The ifconfig (interface configurator) command is used to initialize an interface, assign an IP address to it, and enable or disable it on demand. With this command you can view the IP address and hardware (MAC) address assigned to an interface, as well as its MTU (maximum transmission unit) size.
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:28:FD:4C
inet addr:192.168.50.2  Bcast:192.168.50.255  Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe28:fd4c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:6093 errors:0 dropped:0 overruns:0 frame:0
TX packets:4824 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6125302 (5.8 MiB)  TX bytes:536966 (524.3 KiB)
Interrupt:18 Base address:0x2000
lo        Link encap:Local Loopback
inet addr:127.0.0.1  Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING  MTU:16436  Metric:1
RX packets:8 errors:0 dropped:0 overruns:0 frame:0
TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:480 (480.0 b)  TX bytes:480 (480.0 b)
ifconfig with an interface name (eth0) shows only that interface's details, such as its IP address and MAC address. The -a option displays all available interfaces, including those that are disabled.
# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:28:FD:4C
inet addr:192.168.50.2  Bcast:192.168.50.255  Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe28:fd4c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
RX packets:6119 errors:0 dropped:0 overruns:0 frame:0
TX packets:4841 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6127464 (5.8 MiB)  TX bytes:539648 (527.0 KiB)
Interrupt:18 Base address:0x2000








Switch troubleshooting:


clear mac address-table dynamic - helps determine if a previously learnt MAC address is relearnt
show mac address-table
show vlan
show interfaces trunk
show interfaces switchport - summary information for a port on the switch
traceroute mac src_mac dst_mac - uses CDP to list the switches transited by traffic travelling from the source to the destination MAC
show interfaces status - link status on switches; info includes VLAN status, duplex settings, description and type
show interfaces stats - statistics for each interface
show interfaces if_number counters - number of input and output unicast, multicast and broadcast packets
show interfaces if_number counters errors - number of interface errors

show ip cef - shows the router's Layer 3 forwarding information in addition to multicast, broadcast and local IP addresses
show adjacency - verifies whether valid adjacencies exist

show platform
show mls cef
show ip route ip-address
show ip arp ip-address
show interfaces vlan vlan-id
show ip cef ip-address
show adjacency interface-id detail
show platform forward

show ip route ip-address - is it a routing problem?
show ip arp ip-nexthop-address - if the entry is missing or incomplete, then either the destination is missing or it is a Layer 2 problem.

show ip cef dest-ip-address
show adjacency [ip-address] [detail] - "detail" shows the frame rewrite information (complete Ethernet header).
show ip cef adjacency ………
show platform forward ingress-if ingress-vlan source-mac dest-mac protocol-type source-ip dest-ip type-protocol [ICMP-type and code]
show cef not-cef-switched


Routing

show ip route ip-address
show ip route ip-address network-mask
show ip route ip-address network-mask longer-prefixes
show ip cef ip-address - searches the FIB for the route
show ip cef ip-address net-mask
show ip cef exact-route source destination - the exact adjacency that will be used to forward packets with the given source and destination address. Useful when the RIB and FIB contain two or more equal routes for a particular prefix. Example:
show ip cef exact-route 50.50.50.2 192.168.20.1 internal
show adjacency detail - the full frame header that will be used to encapsulate the packet. If the correct route is in the routing table but packets do not arrive at the destination, it is worth checking the Layer 3 to Layer 2 mapping.
OSPF

show ip ospf - information about the OSPF process and area configuration
show ip ospf interface [brief] - all interfaces that have an IP that is covered by one of the network statements under
show ip ospf neighbor - all discovered neighbors
show ip ospf database - contents of the LSA database
show ip ospf statistics - when and how often the SPF algorithm has been executed. Helpful when diagnosing router instability.
show ip route profile - the frequency of routing table changes in 5-second intervals

debug ip routing - any changes to the routing table, such as installing and removing a route. Useful to troubleshoot routing protocol instability
debug ip ospf packet - useful to verify that Hellos are sent or received as expected
debug ip ospf events - reception and transmission of Hellos, establishing adjacencies, reception and transmission of LSAs
debug ip ospf adj - the adjacency building process and neighbor relationship transitions from one state to another
debug ip ospf monitor - displays when the SPF algorithm is scheduled to run and a summary of the results after it has completed. It can show which LSA triggered the SPF, e.g. a flapping link

BGP




show ip bgp summary - router ID and AS number, statistics and memory usage of the BGP process, overview and state of the configured neighbors
show ip bgp neighbors [ip-address] - detailed information about all neighbors
show ip bgp [network / mask] - the contents of the BGP table, paths and attributes
show ip bgp neighbors ip-address routes - all routes received from a neighbor
show ip bgp neighbors ip-address advertised-routes - all routes advertised to a neighbor
show ip bgp regexp regular-expression - all routes that are matched by a particular expression
show ip bgp rib-failure - BGP routes that have not been installed in the routing table
clear ip bgp {* | address | peer-group-name} [soft in|out]

debug ip bgp - BGP-related events, mainly in establishing peer relationships. Does not display the content of BGP updates and is relatively safe to use
debug ip bgp updates - transmission and reception of BGP updates. Can produce a very large amount of data and can overload the router
debug ip bgp ip-address updates access-list - to limit the updates shown
debug ip tcp transactions


NAT

clear ip nat translation - specify which translations to clear; clearing all of them can cause disruption
show ip nat translations
show ip nat statistics [verbose]

debug ip nat – information about each packet that the router translates.
debug ip nat detailed – also displays information about  certain error and failure conditions
debug ip packet [access-list]
debug condition interface if_number – information about the packets entering or leaving the router on the specified interfaces



IP NetFlow

(config-if)#ip flow ingress
(config)#ip flow-export version version_no
(config)#ip flow-export destination ip_addr port_no
or

(config-if)#ip route-cache flow

show ip cache flow
show ip flow export
show ip flow interface

debug ip flow export


IPSec VPN

show crypto ipsec sa
show crypto engine connections active - shows each phase 2 SA built and the amount of traffic sent. Since phase 2 SAs (security associations) are unidirectional, each SA shows traffic in only one direction (encryptions are outbound, decryptions are inbound).
show crypto map

show crypto session x.x.x.x [detail] - very important command!!!





To restrict the debug to a particular peer only:
debug crypto condition peer ipv4 x.x.x.x


debug crypto isakmp 
debug crypto ipsec



show interface tunnel
debug tunnel




PIX/ASA Troubleshooting

show xlate [detail | debugging] - shows the NAT translation slots

show local-host [ip_address] [brief | detail | all] - shows all NATs and sessions to, from and via the ASA

show conn - shows information about TCP sessions (PIX)






Others

terminal monitor - to send the debug messages to the vty (when connected via SSH or Telnet)

show debugging - to see the debugs currently running
debug ip icmp



Security 

Note for all routers, ASA and PIX: ACLs (access lists) are always checked before the NAT translations.
On ASA devices, by default all traffic is permitted from interfaces with a higher security level to interfaces with a lower security level, and is always blocked from lower to higher.

Packet inspection order on the Cisco ASA:
Routing table -> ACL_in -> NAT -> VPN -> QoS -> ACL_out






  • Configure the access list with the criteria of the packets to be captured:

(config)# access-list capture_list_name extended permit ip host 172.1.1.1 host 172.1.2.2

  • Start the packet capture process:

# capture capture_name interface inside access-list asdm_cap_selector_inside

  • A capture can also be done without an access list:

# capture test match tcp 10.1.1.1 255.255.255.255 10.2.2.2 255.255$
# capture test interface outside match ...

  • The real-time option displays packets on screen as opposed to saving them:

# capture test interface outside real-time

  • To stop the packet capture:

# no capture capture_name

  • To see the captured packets:

# show capture
# show capture name [dump | detail]

  • To copy a capture to an external server:

# copy capture:session-name tftp://server/path [pcap]

  • If the HTTP server is enabled, the capture can be accessed via a web browser:

https://asa_address/capture/session_name[/pcap]

  • To stop the capture and delete the capture buffer:

# no capture capture_name

  • To empty the capture buffer:

# clear capture capture_name

  • To capture packets being dropped by the ASA:

# capture session_name type asp-drop drop-code [parameters]

Example:

# capture my_capture type asp-drop acl-drop match tcp 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0 eq 22


Troubleshooting NAT

show xlate [detail | debugging] - shows the NAT translation slots
show local-host [ip_address] [brief | detail | all] - shows all NATs and sessions to, from and via the ASA


Display active ASA sessions:
show conn
It can be filtered on different criteria:
show conn all address 10.1.1.1 detail
Details are displayed with the following flags:
A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed,
C - CTIQBE media, c - cluster centralized,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response,
k - Skinny media, M - SMTP data, m - SIP media, n - GUP,
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module,
x - per session, Y - director stub flow, y - backup stub flow,
Z - Scansafe redirection, z - forwarding stub flow


TCP Ping
telnet to a port is not supported on the ASA, but tcp ping does the same and even more. You need to specify the interface and the source and destination ports:
# ping tcp inside 1.1.1.1 22 source 2.2.2.2 12345




To see users currently logged in:
show ssh sessions
show asdm sessions

To enable syslog for user activity:
logging list buffer_log message 111008
logging list buffer_log message 111009
logging list buffer_log message 111010
logging list buffer_log message 605005
logging buffered buffer_log

Logging levels on the ASA:
Emergencies    (severity=0)
Alert          (severity=1)
Critical       (severity=2)
Errors         (severity=3)
Warnings       (severity=4)
Notifications  (severity=5)
Informational  (severity=6)
Debugging      (severity=7)
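To put the message list and the severity table above to work, here is an added example (not from the original page) that parses ASA syslog lines of the form `%ASA-<severity>-<message_id>: text`, maps the severity digit to the level names above and filters for the four user-activity message IDs; the sample lines are constructed, and the function names are my own.

```python
"""Added example, not from the original page: parse ASA syslog lines
('%ASA-<severity>-<message_id>: text'), map the severity digit to the level
names listed above, and pick out the user-activity message IDs that the
`logging list buffer_log` example collects. SAMPLE_LINES are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

SEVERITY = {0: "Emergencies", 1: "Alert", 2: "Critical", 3: "Errors",
            4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging"}

# The four message IDs from the page's logging list (command executed,
# 'show' command executed, configuration change, login permitted).
USER_ACTIVITY = {"111008", "111009", "111010", "605005"}

TAG_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<id>\d{6}): (?P<text>.*)$")

# Constructed sample lines: the message texts are illustrative only and the
# severities are the ones the author expects for these IDs (assumption).
SAMPLE_LINES = [
    "Mar  3 10:15:01 fw01 : %ASA-6-605005: Login permitted from 10.10.0.140/52114 to inside:10.10.0.1/ssh for user \"admin\"",
    "Mar  3 10:15:07 fw01 : %ASA-5-111008: User 'admin' executed the 'configure terminal' command.",
    "Mar  3 10:15:09 fw01 : %ASA-5-111010: User 'admin', running 'CLI' from IP 10.10.0.140, executed 'clear capture my_capture'",
    "Mar  3 10:15:12 fw01 : %ASA-7-111009: User 'admin' executed cmd:show running-config",
    "Mar  3 10:15:30 fw01 : %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.9/40211 (203.0.113.9/40211) to inside:10.10.0.140/22 (10.10.0.140/22)",
    "Mar  3 10:16:00 fw01 : %ASA-4-106023: Deny tcp src outside:203.0.113.9/40212 dst inside:10.10.0.140/23 by access-group \"acl_outside_in\"",
]

def parse_asa_syslog(line: str) -> Optional[Dict]:
    """Return {'severity', 'level', 'id', 'text'}, or None if the line carries no ASA tag."""
    m = TAG_RE.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    return {"severity": sev, "level": SEVERITY[sev], "id": m.group("id"), "text": m.group("text")}

def user_activity(lines: List[str], max_severity: int = 6) -> List[Dict]:
    """Events with one of the user-activity IDs, limited to the given severity
    cut-off (mimicking a level filter on the logging destination): at the
    default of 6, the severity-7 (Debugging) 111009 line in the sample is dropped."""
    return [ev for ev in map(parse_asa_syslog, lines)
            if ev and ev["id"] in USER_ACTIVITY and ev["severity"] <= max_severity]

def count_by_level(lines: List[str]) -> Counter:
    """How chatty each severity is; useful before choosing a logging level."""
    return Counter(ev["level"] for ev in map(parse_asa_syslog, lines) if ev)
```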


Troubleshoot access lists:

Which ACLs are applied:
# show run access-group
Identify the crypto map:
# show running-config crypto map | begin 200
Check the access-list objects and counters. You can use a source address to see the access list entries matching the expression:
# show access-list | grep 192.168.0.
# show access-list acl_inside_in 10.10.0.140  | grep 192.168.0
  access-list acl_inside_in line 4 extended permit ip 10.10.0.0 255.255.0.0 192.168.0.112 255.255.255.240 (hitcnt=9209) 0x722450c2
# show running-config access-list acl_inside_in
access-list acl_inside_in extended permit ip object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_11
object-group network DM_INLINE_NETWORK_11
 network-object host 192.168.100.10
 network-object host 192.168.100.2
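As an added example that is not part of the original page, the following Python parses `show access-list` output in the format shown above to find the ACEs covering a given host (first match wins, as on the ASA) and the ACEs with hitcnt=0 that are candidates for cleanup; the sample output and the function names are my own.

```python
"""Added example, not from the original page: parse `show access-list` element
lines from an ASA, list the ACEs that cover a given host, and list ACEs that
have never matched (hitcnt=0). SAMPLE is constructed to mimic the page's format."""
import ipaddress
import re
from typing import Dict, List, Optional

HIT_RE = re.compile(r"\(hitcnt=(\d+)\)")

SAMPLE = """\
access-list acl_inside_in line 1 extended permit ip 10.10.0.0 255.255.0.0 192.168.0.112 255.255.255.240 (hitcnt=9209) 0x722450c2
access-list acl_inside_in line 2 extended permit tcp host 10.10.0.140 host 192.168.100.10 eq 22 (hitcnt=0) 0x0badc0de
access-list acl_inside_in line 3 extended permit ip object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_NETWORK_11 (hitcnt=42) 0x11111111
access-list acl_inside_in line 4 extended deny ip any any (hitcnt=17) 0x22222222
"""

def _parse_addr(tok: List[str], i: int):
    """Consume one ASA address spec at tok[i] ('any', 'host A.B.C.D' or
    'A.B.C.D NETMASK'; ASA uses netmasks, not IOS wildcards). Returns (network, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_ace(line: str) -> Optional[Dict]:
    """One expanded ACE line -> dict; None for object-group summary lines, remarks,
    headers, or ACEs whose address part does not parse (e.g. a source-port clause)."""
    tok = line.split()
    m = HIT_RE.search(line)
    if not m or len(tok) < 9 or tok[0] != "access-list" or tok[2] != "line" or "object-group" in tok:
        return None
    try:
        src, i = _parse_addr(tok, 7)   # tok[4]='extended', tok[5]=action, tok[6]=proto
        dst, _ = _parse_addr(tok, i)
    except (ValueError, IndexError):
        return None
    return {"acl": tok[1], "line": int(tok[3]), "action": tok[5], "proto": tok[6],
            "src": src, "dst": dst, "hits": int(m.group(1))}

def aces(output: str) -> List[Dict]:
    return [a for a in map(parse_ace, output.splitlines()) if a]

def matching_aces(output: str, src_ip: str, dst_ip: Optional[str] = None) -> List[Dict]:
    """ACEs whose source (and optionally destination) covers the host, in line
    order: the first entry is the one the ASA applies (first match wins)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip) if dst_ip else None
    return [a for a in aces(output) if s in a["src"] and (d is None or d in a["dst"])]

def unused_aces(output: str) -> List[Dict]:
    """ACEs with hitcnt=0: candidates to review or remove (least privilege)."""
    return [a for a in aces(output) if a["hits"] == 0]
```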




************************************************************************************************************************************************************************************************************************************************************************



